CVE-2021-24284

Kaswara Modern VC Addons <= 3.0.1 - Unauthenticated Arbitrary File Upload

EPSS 42.1%CWE-434

Vexday Risk Score

30Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS —EPSS 42.1%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

14 may 2021Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.

Productos afectados

SayenThemes · Kaswara Modern VC Addons

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477 https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5